CVE-2026-32301: CWE-918: Server-Side Request Forgery (SSRF) in centrifugal centrifugo
CVE-2026-32301 is a critical Server-Side Request Forgery (SSRF) vulnerability in Centrifugo versions prior to 6.7.0. It arises when Centrifugo is configured with a dynamic JWKS endpoint URL that uses template variables such as {{tenant}}. An unauthenticated attacker can craft a malicious JWT with manipulated iss or aud claims, which are interpolated into the JWKS fetch URL before signature verification. This causes Centrifugo to make outbound HTTP requests to attacker-controlled destinations, potentially exposing internal network resources or enabling further attacks. The vulnerability has a CVSS score of 9.3, indicating high severity with critical impact on confidentiality. No known exploits are currently reported in the wild. The issue is fixed in version 6.7.0.
AI Analysis
Technical Summary
CVE-2026-32301 is a critical SSRF vulnerability affecting Centrifugo, an open-source real-time messaging server, in versions before 6.7.0. The flaw exists when Centrifugo is configured to fetch JSON Web Key Sets (JWKS) from a URL that includes template variables (e.g., {{tenant}}), which are dynamically replaced based on JWT claims such as iss (issuer) or aud (audience). An attacker can craft a JWT with maliciously controlled iss or aud values that get interpolated into the JWKS URL before the JWT signature is verified. Because signature verification depends on fetching keys from the JWKS endpoint, this interpolation causes Centrifugo to make an outbound HTTP request to an attacker-controlled server. This SSRF can be exploited without authentication or user interaction, allowing attackers to scan internal networks, access internal services, or exfiltrate data indirectly. The vulnerability impacts confidentiality severely, as it can expose internal resources or sensitive data. The integrity impact is limited to partial manipulation of request destinations, and availability is not directly affected. The vulnerability is fixed in Centrifugo 6.7.0 by removing unsafe interpolation of JWT claims into JWKS URLs. No public exploits have been reported yet, but the high CVSS score (9.3) reflects the ease of exploitation and critical impact. The vulnerability is tracked under CWE-918 (SSRF).
Potential Impact
The primary impact of this vulnerability is the potential exposure of internal network resources and sensitive information due to SSRF. Attackers can leverage this to access internal services that are otherwise inaccessible externally, potentially leading to data leakage, reconnaissance, or pivoting attacks within an organization's infrastructure. Confidentiality is highly impacted as attackers can induce Centrifugo to make requests to arbitrary internal or external endpoints. Integrity impact is low since the attacker cannot directly modify data but can influence request destinations. Availability is not significantly affected. Organizations running vulnerable Centrifugo versions with dynamic JWKS URLs are at risk of unauthorized internal network scanning and data exposure. This can be particularly damaging in environments where Centrifugo is deployed in sensitive or segmented networks. The lack of required authentication and user interaction makes exploitation straightforward for remote attackers. The widespread use of Centrifugo in real-time messaging scenarios means that many organizations could be affected, especially those using multi-tenant or dynamic JWKS configurations.
Mitigation Recommendations
1. Upgrade Centrifugo to version 6.7.0 or later, where this SSRF vulnerability is fixed.
2. Avoid using dynamic template variables in JWKS endpoint URLs, especially those interpolated from untrusted JWT claims such as iss or aud.
3. If dynamic JWKS URLs are necessary, implement strict validation and sanitization of JWT claims before interpolation to prevent injection of malicious values.
4. Restrict outbound HTTP requests from Centrifugo servers via network-level controls such as firewall rules or egress filtering to limit access to only trusted JWKS endpoints.
5. Monitor logs for unusual outbound HTTP requests from Centrifugo instances, which may indicate exploitation attempts.
6. Employ network segmentation to isolate Centrifugo servers from sensitive internal resources to reduce SSRF impact.
7. Conduct regular security assessments and penetration testing focusing on SSRF vectors in your environment.
8. Educate developers and administrators about the risks of dynamic URL interpolation and secure JWT validation practices.
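As an added example (not Centrifugo's code and not from this advisory), the Go sketch below shows the claim-before-verification flow the Technical Summary describes and the validate-then-interpolate fix that mitigation 3 calls for: the iss claim is read from a still-unverified JWT, checked against an allowlist pattern, path-escaped, and the resolved URL is re-parsed to confirm it still points at the configured host. The template URL, trusted host and tenant slug pattern are assumptions chosen for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"regexp"
	"strings"
)

// Constructed configuration for this example: a {{tenant}}-templated JWKS URL and the only host it may resolve to.
const jwksTemplate = "https://auth.internal.example/{{tenant}}/.well-known/jwks.json"
const trustedHost = "auth.internal.example"

// Allowlist for a tenant slug: lowercase alphanumerics and hyphens, 1-63 chars, no URL metacharacters.
var tenantPattern = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
var ErrBadTenant = errors.New("tenant claim rejected")

// issuerClaim reads iss from a compact JWT without checking the signature: this is
// the point in the flow where the value is still attacker-controlled input.
func issuerClaim(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}

// resolveJWKSURLSafe validates the claim before interpolation, escapes it, and re-checks the host.
func resolveJWKSURLSafe(tenant string) (string, error) {
	if !tenantPattern.MatchString(tenant) {
		return "", ErrBadTenant
	}
	resolved := strings.ReplaceAll(jwksTemplate, "{{tenant}}", url.PathEscape(tenant))
	u, err := url.Parse(resolved)
	if err != nil || u.Scheme != "https" || u.Host != trustedHost {
		return "", ErrBadTenant
	}
	return resolved, nil
}
```

Pair this with the egress filtering in mitigation 4, since claim validation alone does not stop a request to a trusted host that happens to be misconfigured.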
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T21:16:21.658Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b333cf2f860ef943fdd74a
Added to database: 3/12/2026, 9:44:47 PM
Last enriched: 3/20/2026, 2:40:55 AM
Last updated: 4/27/2026, 1:21:08 AM